iCompaas Support

Profile Applicability:

• Level 1

Description:

Amazon Elastic File System (EFS) provides scalable and elastic network file storage that can be used with AWS Cloud services and on-premises resources. EFS Access Points allow applications to connect to EFS, providing application-specific entry points. Enforcing a root directory for EFS access points ensures that users and applications connecting to EFS via the access point are restricted to a specific directory in the file system. This is a security measure to prevent accidental or unauthorized access to other parts of the file system.

Enforcing a root directory for EFS access points is crucial to ensure that applications are isolated within their own directory, reducing the risk of unauthorized access to other areas of the EFS.

Rationale:

• Security: By enforcing a root directory for access points, you ensure that users or applications can only access the designated directory, minimizing the risk of unauthorized access or data leakage from other parts of the file system.
  
  

• Access Control: This method improves the access control strategy, ensuring that access is limited and controlled to only the required directory.
  
  

• Compliance: Certain compliance frameworks (such as PCI-DSS, SOC 2, HIPAA) require ensuring that sensitive information is stored and accessed in a restricted manner. Enforcing a root directory helps fulfill these requirements.
  
  

Impact:

Pros:

• Enhanced Security: Prevents unauthorized access to parts of the file system outside the specified root directory.
  
  

• Better Access Control: Helps organizations implement stricter access controls based on application-specific needs.
  
  

• Compliance: Helps meet data privacy and access control requirements in compliance with regulatory frameworks.
  
  

Cons:

• Reduced Flexibility: Enforcing a root directory limits the access for users or applications, which could be restrictive if more directory-level access is required in the future.
  
  

• Configuration Complexity: More configuration may be needed to correctly define the root directory and ensure that applications or users can access the necessary resources.
  
  

Default Value:

By default, EFS access points do not enforce a root directory. Access points allow unrestricted access to the entire EFS file system unless explicitly restricted by a root directory configuration.

Pre-requisite:

• AWS IAM Permissions:
  
  

  • elasticfilesystem:DescribeAccessPoints
    
    

  • elasticfilesystem:CreateAccessPoint
    
    

  • elasticfilesystem:UpdateAccessPoint
    
    

  • elasticfilesystem:DeleteAccessPoint
    
    

• AWS CLI installed and configured.
  
  

• EFS File System must be created and active.
  
  

• Root Directory path should be planned and created within the EFS file system.
  
  

Remediation:

Test Plan:

Using AWS Console:

1. Sign in to the AWS Management Console.
   
   

2. Navigate to Amazon EFS under Services.
   
   

3. In the EFS Console, go to Access Points and select the access point you want to verify.
   
   

4. Under Access Point Details, verify the Root Directory section:
   
   

   • If Root Directory is enforced, the path will be displayed (e.g., /path/to/directory).
     
     

   • If the Root Directory is not configured, the access point is not enforcing a root directory.
     
     

Using AWS CLI:

To check if EFS access points enforce a root directory, run:

aws efs describe-access-points --region <region> --query "AccessPoints[*].[AccessPointId,RootDirectory]"

1. In the result, look for the RootDirectory field:
   
   

   • If it is empty or not configured, the access point does not enforce a root directory.
     
     

   • If the RootDirectory is configured, it will show the directory path.
     

Implementation Steps:

Using AWS Console:

1. Sign in to the AWS Management Console and navigate to Amazon EFS.
   
   

2. Go to Access Points and select the access point you want to modify or create a new one.
   
   

3. In the Root Directory section, specify the directory path that you want to enforce as the root directory.
   
   

   • Example: /path/to/directory
     
     

4. Save the changes to enforce the root directory for the access point.
   
   

Using AWS CLI:

To create a new EFS access point with a root directory enforced, use the following command:

aws efs create-access-point \

  --file-system-id <file-system-id> \

  --posix-user Uid=1001,Gid=1001 \

  --root-directory 'Path=/path/to/directory,CreationInfo={OwnerUid=1001,OwnerGid=1001,Permissions=750}

To update an existing access point to enforce a root directory, use the following command:

aws efs update-access-point \

  --access-point-id <access-point-id> \

  --root-directory 'Path=/path/to/directory,CreationInfo={OwnerUid=1001,OwnerGid=1001,Permissions=750}'

After enabling the root directory, verify by running:

aws efs describe-access-points --region <region> --query "AccessPoints[*].[AccessPointId,RootDirectory]"

Backout Plan:

If enforcing a root directory causes issues (e.g., access issues for applications or users):

Identify the affected access point and review the configuration.

Revert the changes by removing the root directory enforcement:

aws efs update-access-point --access-point-id <access-point-id> --root-directory 'Path=,CreationInfo={OwnerUid=1001,OwnerGid=1001,Permissions=750}'

Monitor the domain to ensure it functions correctly and that access is restored.

Note :

• Applications Access: When enforcing a root directory, ensure that applications are updated to point to the correct directory to avoid errors or denied access.
  
  

• Permissions: Verify that the root directory has the appropriate permissions for applications or users accessing it.
  

References:

• Amazon EFS Access Points Documentation
  
  

• AWS CLI: describe-access-points
  
  

• AWS CLI: create-access-point
  

CIS Controls Mapping: